Difference between pages "Cellebrite UFED" and "Prefetch XML"

From Forensics Wiki
(Difference between pages)
(New page: The Cellebrite 'Universal Forensic Extraction Device' , or UFED, is a unique and very cost effective mobile phone forensic device that is completely stand alone. As of September 2008, th...)
 
(Created page with "A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application. ==XML Example== <pre...")
 
Line 1: Line 1:
The Cellebrite 'Universal Forensic Extraction Device' , or UFED, is a unique and very cost effective mobile phone forensic device that is completely stand alone.  
+
A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application.  
  
As of September 2008, the UFED is compatible with 1,625 mobile phones (including GSM, TDMS, CDMA), with the standard package containing 66 different phone cables. Wireless connection options are also integrated into the UFED, such as IR and Bluetooth.
+
==XML Example==
 +
<pre>
 +
<?xml version='1.0' encoding='ISO-8859-1'?>
 +
<prefetch>
 +
  <header>
 +
    <os>Windows 7</os>
 +
    <header_size>240</header_size>
 +
    <filename>ACRORD32INFO.EXE</filename>
 +
    <runs>3</runs>
 +
    <atime>2011-02-07T12:24:52</atime>
 +
  </header>
 +
  <volume>
 +
    <path>\DEVICE\HARDDISKVOLUME1</path>
 +
    <serial_number>b46f6927</serial_number>
 +
  </volume>
 +
  <creation>2010-08-18T06:13:10</creation>
 +
  <associated_files>
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
 +
    \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
 +
    \DEVICE\HARDDISKVOLUME1\$MFT
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
 +
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
 +
    \DEVICE\HARDDISKVOLUME1\USERS
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
 +
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
 +
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
 +
  </associated_files>
 +
</prefetch>
 +
</pre>
  
Using the MD5 Hash Algorithm, retrieved data includes:
+
==See Also==
+
* [[Prefetch]]
– Phonebook
+
– SMS and MMS messages
+
- SIM data
+
- Multimedia (images, videos, audio, ect.)
+
- Date and Time stamps
+
- Deleted data
+
- and much more.
+
  
The UFED is flexible enough to be used in many environments, such as:
+
[[Category:Digital Forensics XML]]
 
+
- Fixed to a desk in a crime lab connect to a PC
+
- Fixed to a desk in a crime lab (stand alone with no PC)
+
- Mobile in a car or at a VCP (connected to car 12V power)
+
- Mobile in the field (using battery kit)
+
 
+
While the UFED is completely stand alone, additional software is included to create specialised reports on the retrieved raw data. Customised reports give the additional option of containing your own logo, case file number, address, etc.
+

Revision as of 14:31, 29 June 2011

A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about an application that has been run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<!-- Example XML record describing a single Windows prefetch file. The
     producing tool and its schema are not named here; notes marked
     NOTE(review) are readings of the element names and should be confirmed.
     NOTE(review): the declaration fixes the encoding to ISO-8859-1; confirm
     how the producing tool writes path characters outside Latin-1. -->
<prefetch>
   <header>
     <!-- NOTE(review): presumably runs is the execution count and atime the
          most recent run time. atime carries no time-zone designator, so
          confirm the zone before placing it on a timeline. -->
     <os>Windows 7</os>
     <header_size>240</header_size>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <!-- Volume whose device path prefixes every entry under associated_files. -->
   <volume>
     <path>\DEVICE\HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <!-- NOTE(review): the record does not say whether creation refers to the
        volume or to the prefetch file; like atime it has no time-zone
        designator. -->
   <creation>2010-08-18T06:13:10</creation>
   <!-- One path per line as plain text, not child elements. Several paths
        contain spaces (PROGRAM FILES, READER 9.0), so a consumer has to split
        on line breaks and trim the indentation rather than split on
        whitespace. The list holds more than DLLs: a per-user profile folder
        name, the $MFT entry, executables other than the one named in
        header/filename, and, at the end, what appear to be bare directory
        paths. -->
   <associated_files>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
     \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
     \DEVICE\HARDDISKVOLUME1\$MFT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
     \DEVICE\HARDDISKVOLUME1\USERS
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
     \DEVICE\HARDDISKVOLUME1\WINDOWS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
     \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
   </associated_files>
</prefetch>

See Also